
Cisco Network

Sep 16, 2009
I need help in setting up access list that will allow anything on 192.168.1.x to access everything on 172.20.x.x but will not allow 172.20.x.x to access anything on 192.168.1.x.

Thanks
 
As long as the 172.20.x.x network is on a lower security level interface, you shouldn't need any access list to accomplish that. There is a default implicit access list that allows all traffic from higher security level interfaces to lower security level interfaces. For instance, this is a common config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

E1 would be able to access anything on E2 and E0.
E2 would be able to access anything on E0, but nothing on E1.
E0 would not be able to access anything on E1 or E2.
 
Both subnets access the same interface on the router. The 172.20.x.x is setup as secondary subnet gbe 0/1
 
Is this a router, or a Pix? That makes a pretty big difference. Also, are you using a Cisco switch with separate VLANs?
 
This is a Cisco 2821 Router. We are not using managed switches at this time, they will be added later.
 
Below is the config that I thought should work but it seems to be blocking traffic in both directions.

access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 remark DENY PERIMETER
! "host" takes a single address with no wildcard; a subnet needs address + wildcard mask
access-list 107 deny ip 172.20.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 deny ip 172.10.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 deny ip 172.10.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 deny ip 68.216.232.168 0.0.0.3 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip any any


 
So, hosts for both of the subnets reside on the same unmanaged switch, and you have your router configured with sub interfaces and plugged into the unmanaged switch?
 
I have never tried that using an unmanaged switch, but I don't think it can work. If you are using subinterfaces on the router, it is going to tag the frames with VLAN information. You need a managed switch that can have a trunk port that will understand those tags, and also divvy the remaining ports up into the two different vlans. This is a decent article that describes Router On A Stick, which is what you are trying to do.
 
The other option is to use a second interface on the router, and use a second physical switch.
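Putting the two pieces of the thread together (the one-way access the original question asks for, and the router-on-a-stick split the last reply recommends), here is an added example IOS configuration. It is not from any poster in the thread. Assumptions: VLAN 10 carries 192.168.1.0/24, VLAN 20 carries 172.20.0.0/16, the router holds the .1 address in each, the switch is a managed Catalyst trunking both VLANs to Gi0/1, and the ACL names, VLAN IDs and 300-second timeout are arbitrary choices.

```cisco
! Added example, not from the thread. Assumed: VLAN 10 = 192.168.1.0/24,
! VLAN 20 = 172.20.0.0/16, router is .1 in each, managed switch trunks both
! VLANs to the router's Gi0/1. ACL names, VLAN IDs and timeout are arbitrary.
!
! Sessions that 192.168.1.x opens toward 172.20.x.x are recorded in the
! reflexive list RETURN-TO-LAN as they leave the 172.20 subinterface; only
! the matching return packets are let back in. Anything else from 172.20.x.x
! destined for 192.168.1.x is dropped and logged. Other traffic (e.g. to the
! Internet) is unaffected.
ip access-list extended TO-172-20
 remark traffic leaving the router toward 172.20.x.x
 permit ip 192.168.1.0 0.0.0.255 172.20.0.0 0.0.255.255 reflect RETURN-TO-LAN timeout 300
 permit ip any any
!
ip access-list extended FROM-172-20
 remark traffic arriving from 172.20.x.x
 evaluate RETURN-TO-LAN
 deny ip 172.20.0.0 0.0.255.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
! Router on a stick: one physical port, one tagged subinterface per VLAN.
interface GigabitEthernet0/1
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 172.20.0.1 255.255.0.0
 ip access-group TO-172-20 out
 ip access-group FROM-172-20 in
!
! Matching switch side (Catalyst; the "encapsulation" line is only needed on
! older models that also support ISL). Access ports go in VLAN 10 or 20.
! interface GigabitEthernet0/1
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 10,20
```

To check it, open a connection from a 192.168.1.x host to a 172.20.x.x host and run "show ip access-lists RETURN-TO-LAN": a temporary entry for that session should appear and age out after the timeout. Attempts in the other direction show up as hits on the "deny ... log" line. Two caveats: this only works once the subnets are on separate (sub)interfaces, because with a secondary address on one interface the router sees both subnets' packets inbound on the same port and "in"/"out" ACLs cannot tell the directions apart; and the simpler "permit tcp ... established" trick is TCP-only and stateless (it matches on the ACK/RST flag, which any sender can set), whereas the reflexive list also covers UDP and ICMP and keys on the actual session.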
 